Privacy Policy

1. Introduction

Last updated: 1 June 2026

Sort My Legacy ("we," "us," "our") is the name of the service; it is operated by Bindal Infotech at sortmylegacy.com. We are committed to protecting your personal data in accordance with the Digital Personal Data Protection Act, 2023 (DPDPA) and applicable Indian laws. This Privacy Policy describes our practices regarding the collection, use, storage, and disclosure of your information.

Digital-only service: Sort My Legacy is a fully digital platform. We do not ship any physical products. All data and services are delivered online. No physical delivery or shipping is involved.

2. Data Controller

Bindal Infotech (operating Sort My Legacy) is the data controller for personal data processed through the Service. For DPDPA rights, privacy grievances, and regulatory correspondence, use the Legal entity and compliance contact at the end of this page. You may also use our contact form for general inquiries.

3. Personal Data We Collect

Account and profile:

• Email address, name, mobile number
• Date of birth, gender (optional)
• Address and identification details (e.g., PAN, Aadhaar) if you choose to provide them

Usage data:

• Quiz answers, inventory entries, will drafts, document metadata
• Family member details you add
• Legacy messages (letters and video links you create for your recipients)
• Log data (IP address, browser type, pages visited)

Health information (only if you use these optional features):

• Medical directives: life-support preferences, organ-donation wishes, do-not-resuscitate (DNR) preferences, and medical power-of-attorney details
• Emergency card: blood type, allergies, and emergency medical notes

You provide this health information voluntarily. We store it solely to make it available to you and to the family members, executors, or first responders you choose to share it with. We do not use health information for advertising, we never sell it, and we do not share it with third parties except the service providers needed to operate the Service (see Section 6) or where required by law.

Payment data:

• Processed by Razorpay; we do not store full card numbers
• Billing address, transaction identifiers

Password vault: Passwords are encrypted client-side. We never receive or store your master password or decrypted passwords. Zero-knowledge architecture.

4. Purpose and Use

We use your data to:

• Provide and improve the Service
• Authenticate your account and enforce security
• Process payments and manage subscriptions
• Send transactional emails (e.g., password reset, plan updates)
• Send optional marketing with your consent
• Comply with legal obligations
• Analyze usage to improve the product (aggregated, anonymized)

5. Legal Basis

We process your data based on: (a) your consent where required, (b) performance of our contract with you, (c) our legitimate interests (e.g., security, fraud prevention), and (d) legal obligations.

6. Data Sharing

We may share data with:

• Service providers: Google/Firebase (authentication and Google Sign-In), Supabase (database and file storage), Razorpay (web payments), Google Play and Apple App Store (in-app purchases), Resend (transactional email), and Meta Business WhatsApp API (via LeminAI) for reminders and alerts
• Legal authorities: When required by law or to protect rights and safety
• Family/executors: Only as you configure (e.g., post-death access upon verification)

We do not sell your personal data. We never share your health information or password-vault contents with any third party for advertising, and we never sell them.

7. Data Storage and Retention

Data is stored on servers in India where possible. Some of our service providers (for example, authentication and transactional-email infrastructure) may process limited data outside India; where this occurs we rely on contractual and technical safeguards to protect it. We retain your data for as long as your account is active and as needed to provide the Service. After account deletion, we retain data as required by law (e.g., tax records) and delete or anonymize within our retention schedule (typically 30 to 90 days post-deletion, except where law requires longer).

8. Your Rights

Under DPDPA and our practices, you have the right to:

• Access: Request a copy of your personal data
• Correction: Request correction of inaccurate data
• Erasure: Request deletion of your data (subject to legal retention) — see our Account & Data Deletion page
• Portability: Request your data in a portable format
• Withdraw consent: Where processing is consent-based
• Grievance: Lodge a complaint with the Data Protection Board of India

To exercise these rights, email the compliance officer at the address in Legal entity and compliance contact below, or use our contact form.

9. Security

We implement technical and organizational measures including encryption (in transit and at rest), access controls, and secure authentication. The password vault uses client-side encryption; we cannot access your stored passwords. You are responsible for safeguarding your account credentials and master password.

10. Cookies and Tracking

We use essential cookies for authentication and session management. We may use analytics cookies to understand usage (anonymized). You can manage cookie preferences in your browser. We do not use third-party advertising cookies.

11. Children

The Service is not intended for users under 18. We do not knowingly collect data from minors.

12. Changes

We may update this Privacy Policy. We will notify you of material changes via email or a notice on the Site. Continued use after changes constitutes acceptance.

13. Contact

For privacy questions or to exercise your rights, use the Legal entity and compliance contact below, or our contact form.